May 12, 2026

The npm packages @tanstack/history (1.161.9, 1.161.12) and more than 50 other packages across the @tanstack, @mistralai, @uipath, @squawk, and safe-action namespaces have been compromised and use a classic drop-and-execute attack pattern to run an infostealer that harvests GitHub credentials and cloud secrets. The attack patterns are similar to past Shai-Hulud compromises and the recent [email protected] incident, behaving like a worm, automatically leveraging stolen credentials to infect additional npm packages. The fact that more than 50 packages were published in a single wave across several unrelated maintainer accounts (including widely depended-on libraries such as @tanstack/react-router, @tanstack/react-start, @mistralai/mistralai, and @uipath/cli) indicates that another wave of infected packages is likely incoming. Users who have installed any of the affected versions should check for suspicious activity, rotate their GitHub credentials, and audit any AWS credentials accessible from machines where the packages were installed.

How it works

During install, the compromised packages execute a script that downloads the Bun runtime from GitHub (codeload.github.com), then runs a tanstack_runner.js payload via bun run tanstack_runner.js. The payload executes gh auth token to harvest GitHub credentials, and reaches out to git-tanstack.com, a lookalike domain designed to blend in with legitimate tanstack.com traffic, for C2. Unlike the earlier [email protected] compromise, this variant also targets cloud workloads: it queries the AWS IMDS and then walks across STS and SSM endpoints in multiple regions, attempting to escalate from instance role credentials into broader AWS account access via Session Manager. The Bun binary is self-deleted after execution to reduce forensic traces. The attacker then leverages the stolen credentials to publish malicious versions of additional packages from any maintainer account to which the credentials grant access. 
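A detection sketch for the behaviour described above, as an added example (not code from Netskope or from the affected projects). It attributes the page's indicators to the package-manager install that spawned them by walking parent process links; the event shape (pid, ppid, cmd, query, dest) and the sample events are constructed assumptions, and 169.254.169.254 is the standard IMDS address.

```javascript
// Constructed telemetry; the event shape (pid/ppid/cmd/query/dest) is a hypothetical schema.
const INDICATORS = [
  { id: 'bun-runner', test: e => /\bbun\s+run\s+tanstack_runner\.js\b/.test(e.cmd || '') },
  { id: 'gh-token',   test: e => /\bgh\s+auth\s+token\b/.test(e.cmd || '') },
  { id: 'c2-dns',     test: e => /(^|\.)git-tanstack\.com$/i.test(e.query || '') },
  { id: 'imds',       test: e => e.dest === '169.254.169.254' },
];
const INSTALL = /\b(npm|pnpm|yarn)\s+(install|ci|i|add)\b/;
// Group indicator hits under the install process they descend from (PID reuse is ignored).
function triage(events) {
  const byPid = new Map();
  for (const e of events) if (e.cmd) byPid.set(e.pid, e);
  // Walk parent links up to the nearest install command, guarding against cycles.
  const installRoot = pid => {
    const seen = new Set();
    while (byPid.has(pid) && !seen.has(pid)) {
      seen.add(pid);
      const p = byPid.get(pid);
      if (INSTALL.test(p.cmd)) return p.pid;
      pid = p.ppid;
    }
    return null;
  };
  const hits = new Map();
  for (const e of events) {
    const root = installRoot(e.pid);
    if (root === null) continue; // e.g. a developer running `gh auth token` by hand
    for (const ind of INDICATORS) {
      if (!ind.test(e)) continue;
      if (!hits.has(root)) hits.set(root, new Set());
      hits.get(root).add(ind.id);
    }
  }
  return [...hits].map(([pid, ids]) => ({ installPid: pid, indicators: [...ids].sort() }));
}
const SAMPLE_EVENTS = [
  { pid: 100, ppid: 1, cmd: 'npm install' },
  { pid: 110, ppid: 100, cmd: 'sh -c node install-hook.js' }, // placeholder hook name
  { pid: 120, ppid: 110, cmd: 'bun run tanstack_runner.js' },
  { pid: 130, ppid: 120, cmd: 'gh auth token' },
  { pid: 120, query: 'git-tanstack.com' },
  { pid: 120, dest: '169.254.169.254' },
  { pid: 200, ppid: 1, cmd: 'gh auth token' },   // not under an install: ignored
  { pid: 300, ppid: 1, cmd: 'npm ci' },
  { pid: 300, query: 'registry.npmjs.org' },     // clean install: no indicators
];
console.log(JSON.stringify(triage(SAMPLE_EVENTS)));
```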

Affected packages

@tanstack/history: 1.161.9, 1.161.12
@tanstack/react-router: 1.169.5, 1.169.8
@tanstack/router-core: 1.169.5, 1.169.8
@tanstack/router-utils: 1.161.11, 1.161.14
@tanstack/router-plugin: 1.167.38, 1.167.41
@tanstack/virtual-file-routes: 1.161.10, 1.161.13
@tanstack/router-generator: 1.166.45, 1.166.48
@tanstack/start-server-core: 1.167.33, 1.167.36
@tanstack/start-client-core: 1.168.5, 1.168.8
@tanstack/start-storage-context: 1.166.38, 1.166.41
@tanstack/start-plugin-core: 1.169.23, 1.169.26
@tanstack/react-start-server: 1.166.55, 1.166.58
@tanstack/react-start-client: 1.166.51, 1.166.54
@tanstack/start-fn-stubs: 1.161.9, 1.161.12
@tanstack/react-start: 1.167.68, 1.167.71
@tanstack/react-start-rsc: 0.0.47, 0.0.50
@tanstack/react-router-devtools: 1.166.16, 1.166.19
@tanstack/router-devtools-core: 1.167.6, 1.167.9
@tanstack/router-devtools: 1.166.16, 1.166.19
@tanstack/router-ssr-query-core: 1.168.3, 1.168.6
@tanstack/react-router-ssr-query: 1.166.15, 1.166.18
@tanstack/router-cli: 1.166.46, 1.166.49
@tanstack/zod-adapter: 1.166.12, 1.166.15
@tanstack/valibot-adapter: 1.166.12, 1.166.15
@tanstack/arktype-adapter: 1.166.12, 1.166.15
@tanstack/eslint-plugin-router: 1.161.9
@tanstack/router-vite-plugin: 1.166.53, 1.166.56
@tanstack/nitro-v2-vite-plugin: 1.154.12, 1.154.15
@tanstack/solid-router: 1.169.5, 1.169.8
@tanstack/solid-start: 1.167.65, 1.167.68
@tanstack/solid-start-client: 1.166.50, 1.166.53
@tanstack/solid-start-server: 1.166.54, 1.166.57
@tanstack/solid-router-devtools: 1.166.16, 1.166.19
@tanstack/solid-router-ssr-query: 1.166.15, 1.166.18
@tanstack/start-static-server-functions: 1.166.44, 1.166.47
@tanstack/vue-router: 1.169.5, 1.169.8
@tanstack/vue-start: 1.167.61, 1.167.64
@tanstack/vue-start-server: 1.166.50, 1.166.53
@tanstack/vue-start-client: 1.166.46, 1.166.49
@mistralai/mistralai: 2.2.2, 2.2.3, 2.2.4
@mistralai/mistralai-gcp: 1.7.1, 1.7.2, 1.7.3
@uipath/apollo-react: 4.24.5
@uipath/apollo-wind: 2.16.2
@uipath/cli: 1.0.1
@uipath/rpa-tool: 0.9.5
@squawk/types: 0.8.2, 0.8.3, 0.8.4
@squawk/mcp: 0.9.1, 0.9.2, 0.9.3, 0.9.4
@squawk/weather: 0.5.6, 0.5.7, 0.5.8, 0.5.9
@squawk/airspace: 0.8.1, 0.8.2, 0.8.3, 0.8.4
@squawk/icao-registry-data: 0.8.4, 0.8.5, 0.8.6, 0.8.7
safe-action: 0.8.3, 0.8.4
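A lockfile check for the affected versions listed above, as an added example (not code from Netskope or from the affected projects). It parses the advisory's "name: versions" rows and matches them against npm's package-lock.json, covering nested installs, aliased packages and the older lockfileVersion 1 layout; only four rows of the list are embedded and the sample lockfile is constructed.

```javascript
// Affected rows copied from the list above (excerpt); the lockfile below is constructed.
const ADVISORY_EXCERPT = `
@tanstack/history: 1.161.9, 1.161.12
@tanstack/react-router: 1.169.5, 1.169.8
@mistralai/mistralai: 2.2.2, 2.2.3, 2.2.4
safe-action: 0.8.3, 0.8.4
`;
// Parse "name: v1, v2" rows into Map<name, Set<version>>.
function parseAdvisory(text) {
  const bad = new Map();
  for (const line of text.split('\n')) {
    const m = line.trim().match(/^(\S+):\s*(.+)$/);
    if (m) bad.set(m[1], new Set(m[2].split(',').map(v => v.trim())));
  }
  return bad;
}
// Return every locked package whose exact name and version appear in the advisory.
function auditLockfile(lock, bad) {
  const findings = [];
  const check = (name, version, where) => {
    if (bad.has(name) && bad.get(name).has(version)) findings.push({ name, version, where });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1) continue; // "" is the root project itself
    // Aliased installs carry the real package name in meta.name.
    check(meta.name || path.slice(i + 'node_modules/'.length), meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, `${trail}>${name}`);
      walk(meta.dependencies, `${trail}>${name}`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'root');
  return findings;
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@tanstack/history': { version: '1.161.12' },          // affected
  'node_modules/@tanstack/react-router': { version: '1.169.4' },      // not in the list
  'node_modules/ui/node_modules/safe-action': { version: '0.8.3' },   // affected, nested
  'node_modules/mistral': { name: '@mistralai/mistralai', version: '2.2.3' }, // affected, aliased
} };
console.log(auditLockfile(SAMPLE_LOCK, parseAdvisory(ADVISORY_EXCERPT)));
```

A hit means the affected version was resolved at lock time; a clean lockfile does not rule out an earlier install on the same machine.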

IOCs

Domains

git-tanstack.com: primary C2 (lookalike of tanstack.com)
codeload.github.com: abused (legitimate service used to fetch the Bun runtime)

Host artifacts

2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96: payload (tanstack_runner.js)


Gianpietro Cutolo

Gianpietro Cutolo is a Cloud Threat Researcher at Netskope. In this role, he conducts research that leads to improvements in protection capabilities, such as new insights, analyses, algorithms, and prototypes that advance the state of the art of controls, detections, monitoring, investigation, and hunting capabilities.